Conventional firewalls rely on the notions of restricted topology and controlled entry points to function. More precisely, they rely on the assumption that everyone on one side of the firewall is to be trusted, while those on the other side are not. The vastly expanded Internet connectivity in recent years has called that assumption into question. So-called “extranets” can allow outsiders to reach the “inside” of the firewall. Conversely, telecommuters' machines, which traditionally do not have the protection of a firewall, use the Internet for connectivity. These machines in particular need protection when encrypted tunnels are not in place. Other trends are also threatening the traditional notion of firewalls. For example, some machines need more access to the outside than do others. Conventional firewalls are not suited to deal with these types of problems, especially as internally assigned Internet Protocol (IP) addresses change. End-to-end encryption is another threat, since the firewall generally does not hold the keys needed to inspect the encrypted traffic.
In an attempt to solve some of these problems, the notion of a “distributed firewall” was created. Instead of having a single firewall existing at some controlled access point to the network, each network device would be equipped with its own firewall. A distributed firewall preserves central control of access policy, while reducing or eliminating any dependency on topology. In such a scheme, policy is still centrally defined. Enforcement of the policy, however, takes place on each endpoint. In this manner the advantages of conventional firewalls are maintained while avoiding most of the associated limitations, most notably the dependency on topology.
One example of a distributed firewall is described in U.S. Pat. No. 5,606,668 titled “System for Securing Inbound and Outbound Data Packet Flow in a Computer Network.” The '668 patent discloses a distributed firewall wherein each network device is equipped with its own packet filter. A packet filter simply retrieves a source address from a packet and compares it with a list of addresses. The packet is then passed or dropped based on the result of the comparison. The determination whether to pass or drop the packet is normally implemented as a set of rules, e.g., if the address is on the list, drop the packet.
Conventional distributed firewalls, such as the one disclosed in the '668 patent, however, are less than satisfactory for a number of reasons. For example, the distributed firewall described in the '668 patent is not capable of preventing “spoofing.” Spoofing refers to a technique wherein a packet sender attempts to pass through a firewall by impersonating another sender's address. The filter module described in the '668 patent filters packets based on the source IP address embedded within the packet. A person could discover a source IP address that is permitted to access a secure site, and attempt to access the secure site by emulating the allowed source IP address. In other words, there is no technique for authenticating the identity of the sender; the filter trusts a header field that the sender itself writes. In another example, the '668 patent fails to address the telecommuting situation where a user often connects a computer to a corporate network via an unsecured link, e.g., the Internet. In such a case, there is no mechanism for protecting communications between the corporate network and the telecommuter's computer. Telecommuters also suffer from triangle routing, and their machines lack protection while on the outside Internet.
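The following is an added illustration, not code from the '668 patent or from this application, of the two points above: a source-address packet filter of the kind the background describes, and why it cannot stop spoofing. The rule list, the sample packets, the shared keys and the authenticated variant are all constructed for this example; in particular, the HMAC-based sender check is one hypothetical way of authenticating the sender and is not the mechanism disclosed in either patent.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str            # source IP address as written into the header by the sender
    dst: str            # destination IP address
    payload: bytes
    tag: bytes = b""    # optional authentication tag (hypothetical extension, empty for plain packets)


@dataclass
class Rule:
    src_net: ipaddress.IPv4Network
    action: str         # "pass" or "drop"


def address_filter(pkt: Packet, rules: list[Rule], default: str = "drop") -> str:
    """Source-address filter in the style the background describes.

    The first rule whose network contains the packet's source address decides;
    a packet matching no rule gets the default action. Nothing here checks who
    actually transmitted the packet, only what the header claims.
    """
    src = ipaddress.ip_address(pkt.src)
    for rule in rules:
        if src in rule.src_net:
            return rule.action
    return default


def compute_tag(key: bytes, pkt: Packet) -> bytes:
    """Hypothetical per-sender MAC over the fields the filter relies on."""
    msg = pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def authenticated_filter(pkt: Packet, rules: list[Rule], keys: dict[str, bytes],
                         default: str = "drop") -> str:
    """Same rule lookup, but a 'pass' is only honored when the packet carries a
    valid MAC under the key shared with the host whose address it claims.
    A forged source address without the corresponding key is dropped."""
    decision = address_filter(pkt, rules, default)
    if decision != "pass":
        return decision
    key = keys.get(pkt.src)
    if key is None:
        return "drop"
    if not hmac.compare_digest(compute_tag(key, pkt), pkt.tag):
        return "drop"
    return "pass"


def demo() -> dict[str, str]:
    """Run both filters over constructed traffic and return the decisions."""
    rules = [Rule(ipaddress.ip_network("10.1.0.0/16"), "pass")]   # constructed allow list
    keys = {"10.1.2.3": b"constructed-shared-key-for-10.1.2.3"}  # constructed per-host key

    legit = Packet("10.1.2.3", "10.1.0.10", b"GET /secure")
    legit.tag = compute_tag(keys["10.1.2.3"], legit)
    # Attacker on the outside copies the allowed address into the header but has no key.
    spoofed = Packet("10.1.2.3", "10.1.0.10", b"GET /secure")
    outsider = Packet("203.0.113.7", "10.1.0.10", b"GET /secure")

    return {
        "legit_addr": address_filter(legit, rules),
        "spoofed_addr": address_filter(spoofed, rules),      # passes: header alone is trusted
        "outsider_addr": address_filter(outsider, rules),
        "legit_auth": authenticated_filter(legit, rules, keys),
        "spoofed_auth": authenticated_filter(spoofed, rules, keys),   # dropped: no valid tag
        "outsider_auth": authenticated_filter(outsider, rules, keys),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The address-only filter passes the spoofed packet because the only input it examines is a header field under the attacker's control; the authenticated variant drops it because the rule decision is tied to knowledge of a key rather than to a claimed address.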
From the foregoing, it can be appreciated that a substantial need exists for a distributed firewall that solves the aforementioned problems.